From c0b7481a1d83ca3eb75bf04698925c9f93dc84fe Mon Sep 17 00:00:00 2001 From: Rob Ballantyne Date: Sun, 18 Feb 2024 20:38:20 +0000 Subject: [PATCH] Update readme for new auth [skip ci] --- README.md | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 793a9f6..e101b62 100644 --- a/README.md +++ b/README.md 
@@ -164,20 +164,32 @@ Example usage: `docker run -e STANDARD_VAR1="this value" -e STANDARD_VAR2="that ## Security -By default, all exposed web services other than the port redirect page are protected by HTTP basic authentication. +All ai-dock containers are interactive and will not drop root privileges. You should ensure that your docker daemon runs as an unprivileged user. -The default username is `user` and the password is `password`. +### System -You can set your credentials by passing environment variables as shown above. +A system user will be created at startup. The UID will be either 1000 or will match the UID of the `$WORKSPACE` bind mount. + +The user will share the root user's ssh public key. + +Some processes may start in the user context for convenience only. + +### Web Services -The password is stored as a bcrypt hash. If you prefer not to pass a plain text password to the container you can pre-hash and use the variable `WEB_PASSWORD_HASH`. +By default, all exposed web services are protected by a single login form at `:1111/login`. + +The default username is `user` and the password is auto generated unless you have passed a value in the environment variable `WEB_PASSWORD`. To find the auto-generated password and related tokens you should type `env | grep WEB_` from inside the container. + +You can set your credentials by passing environment variables as shown above. If you are running the image locally on a trusted network, you may disable authentication by setting the environment variable `WEB_ENABLE_AUTH=false`. -The Coturn turn server username is `user` and a random password is generated on startup. You can overide this behaviour by supplying `COTURN_USER` and `COTURN_PASSWORD` environment variables. +If you need to connect programmatically to the web services you can authenticate using either `Bearer $WEB_TOKEN` or `Basic $WEB_PASSWORD_B64`. + +The security measures included aim to be as secure as basic authentication, i.e. 
not secure without HTTPS. Please use the provided cloudflare connections wherever possible. >[!NOTE] ->You can use `set-web-credentials.sh ` change the username and password in a running container. +>You can use `set-web-credentials.sh ` to change the username and password in a running container. ## Provisioning script
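Review bot: The programmatic-auth sentence in this hunk ("you can authenticate using either `Bearer $WEB_TOKEN` or `Basic $WEB_PASSWORD_B64`") does not say which header carries these values or what `WEB_PASSWORD_B64` encodes; state that both go in the `Authorization` header and spell out whether `WEB_PASSWORD_B64` is the base64 of `user:password` or of the password alone, since a client written from this text will otherwise have to guess. The same hunk removes the `WEB_PASSWORD_HASH` paragraph and the `COTURN_USER`/`COTURN_PASSWORD` paragraph without saying whether those variables are still honoured; if they were dropped with the new auth, a one-line deprecation note under `### Web Services` would spare users of the old variables a silent failure, and if they still work they should remain documented. Finally, "The user will share the root user's ssh public key." deserves a sentence on the consequence: the unprivileged user adds no isolation against anyone holding that SSH key, since the same key also logs in as root, which sits oddly next to the new advice that the daemon itself should run unprivileged.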